Archive

Can large messages be scrolled if put inside a table?

Explorer

I have a table with Message field and host,
the message is about 100 lines long and i want to add scrolling feature so that by default it shows 10 lines and rest scrollbar can be used if user want to see more data in message field. Is this possible?

Tags (1)

SplunkTrust
SplunkTrust

@JuhiSaxena, ideally as suggested you should implement Table Tooltip so that Message details is displayed on mouse hover over specific Message: https://www.splunk.com/blog/2014/01/29/add-a-tooltip-to-simple-xml-tables-with-bootstrap-and-a-custo...

If you want to have an option to switch between truncated message and complete message you can try something based off the following run anywhere example implemented using Simple XML.

When Message is truncated using Hide Details(default behavior):

alt text

When the complete Message is displayed with scrollbar using Show Details option:

alt text

Following is the Simple XML run anywhere code based on Splunk's _internal index for your reference:

<form>
  <label>Table Row Truncation and Expansion</label>
  <fieldset submitButton="false">
    <input type="radio" token="tokShowHideRadio" searchWhenChanged="true">
      <label>Message Details</label>
      <choice value="show">Show</choice>
      <choice value="hide">Hide</choice>
      <change>
        <condition value="show">
          <set token="tokShowDetails">Message</set>
        </condition>
        <condition>
          <set token="tokShowDetails">Message_Abbr</set>
        </condition>
      </change>
      <default>hide</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>tokShowDetails: $tokShowDetails$, tokShowHideRadio: $tokShowHideRadio$</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by message
| eval Message_Abbr=substr(message,0,30)."..."
| sort - count
| head 10
| rename message as Message
| table $tokShowDetails$ count</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">false</option>
      </table>
    </panel>
  </row>
</form>

Please try out and confirm whether one of the options above i.e. Tooltip or Show/Hide details option will suffice your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

SplunkTrust
SplunkTrust

@JuhiSaxena can you add a sample of your current output and the query used?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

This i how my data looks:

Host Message
Dev machine [root] [cmef:136] INFO - Running on : clv035pw-568364
[root] [cmef:137] INFO - dask version : 400.88
[root] [cmef:138] INFO - Pypimco version : 1.1297.8
[root] [cmef:139] INFO - PYTHONPATH: e:\apps\pimcloud\pimco_common\pypimco\1.1297.8\pypimco\pypimlib\lib;e:\vendor\pimcloud\pimco_common\pypimco_infra
[root] [cmef:140] INFO - PYPIMLIB_ORACLE_HOME: C:\oracle\product\11.2.0\client64
[root] [cmef:141] INFO - PYPIMLIB_SYBASE_HOME: C:\Sybase16
[root] [cmef:142] INFO - PYPIMLIB_HOME: e:\apps\pimcloud\pimco_common\pypimco\1.1297.8\pypimco\pypimlib
[root] [cmef:143] INFO - PYPIMLIB_LIB_PATH: e:\apps\pimcloud\pimco_common\pypimco\1.1297.8\pypimco\binary\pimlib
[root] [cmef:144] INFO - PYPIMLIB_OCS: 16_0
[root] [cmef:145] INFO - Log File Path: \nasprodpm4\cmef\dask\logs\clv035pw-568364_7200.log
[root] [cmef:146] INFO - Running the following
[root] [cmef:147] INFO - from analytics.qdd.brazil_offshore_swaps.brazil_swap_offshore_test import main
[root] [cmef:231] INFO - main('//nasprodpm4/cmef/qdd/brazil_offshore_swap/output/','2017-01-01','prod',)
[root] [cmef:232] INFO - =========================================================================================================================
[root] [cmef:254] INFO - =========================================================================================================================
[root] [files:43] INFO - searching for //nasprodpm4/cmef/qdd/brazil_offshore_swap/output/20180217-170238\brazil_curve_20180217.csv in the directory
[root] [files:43] INFO - searching for //nasprodpm4/cmef/qdd/brazil_offshore_swap/output/20180217-170238\brazil_curve_for_validation_20180217.csv in t
[root] [files:68] INFO - reading the new data
[root] [generic_checks:154] INFO - checking overlapping date: 2017-07-11
[root] [generic_checks:161] INFO - checking ticker = SWAP_XS_BRL_5Y_OFFS_BRL
[root] [generic_checks:161] INFO - checking ticker = SWAP_XS_BRL_5Y_OFFS_USD
[root] [generic_checks:161] INFO - checking ticker = SWAP_XS_BRL_5Y_OFFS_USD_T
[root] [generic_checks:302] CRITICAL - bad overlap between the existing and the new data
[root] [generic_checks:49] INFO - the tickers in the new file match those in the baseline file
[root] [modelverifier:43] INFO - Folder to analyze 20180217-170238

And the query used :
...| stats values(msg) by Host | rename values(msg) as Message |fields + Host,Message | head 3

I used substr() but it would cut down my data to some limit. I want entire message with first 10 lines of Message to be displayed and rest should be scrollable .

Thanks

0 Karma

SplunkTrust
SplunkTrust

Seems like your intent is to see first three events per host. With the data presented I am not sure what exactly is msg field (whether it is same as _raw or is it everything after INFO -). Can you please confirm? Also could you explain why are you trying values(msg)? Do you need only last or latest msg or all unique messages per host for the time selected?

<yourBaseSearch>
| stats latest(msg) as Message by Host
| head 3

Stats field will retain only two fields so there is no need for explicit fields + after that.

Refer to the Splunk Blog example to show Table Tool Tip Text with complete detail while the table text shows only partial text: https://www.splunk.com/blog/2014/01/29/add-a-tooltip-to-simple-xml-tables-with-bootstrap-and-a-custo...

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

It is same as _raw and I need all unique messages per host. Also I need top 3 events that is why head 3. However within one single event I want _raw message to be upto (lets suppose) 150 characters and rest should be scrollable.

0 Karma

SplunkTrust
SplunkTrust

There are at least two options:

  1. Display the first n characters or lines of the message in the table, add a row expansion handler in JS that displays the entire message when the row is expanded
  2. Display the entire message in the table, add a cell renderer in JS that sets the cell to a maximum height and vertical overflow mode to scroll in CSS

I'm not aware of a purely SimpleXML way.